CVE-2010-4175
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Undecided
|
Unassigned | |||
Dapper |
Undecided
|
Unassigned | |||
Hardy |
Undecided
|
Unassigned | |||
Karmic |
Medium
|
Brad Figg | |||
Lucid |
Medium
|
Brad Figg | |||
Maverick |
Medium
|
Brad Figg | |||
Natty |
Undecided
|
Unassigned | |||
linux-fsl-imx51 (Ubuntu) |
Undecided
|
Unassigned | |||
Dapper |
Undecided
|
Unassigned | |||
Hardy |
Undecided
|
Unassigned | |||
Karmic |
Undecided
|
Unassigned | |||
Lucid |
Undecided
|
Paolo Pisati | |||
Maverick |
Undecided
|
Unassigned | |||
Natty |
Undecided
|
Unassigned | |||
linux-ti-omap4 (Ubuntu) |
Undecided
|
Unassigned | |||
Dapper |
Undecided
|
Unassigned | |||
Hardy |
Undecided
|
Unassigned | |||
Karmic |
Undecided
|
Unassigned | |||
Lucid |
Undecided
|
Unassigned | |||
Maverick |
Undecided
|
Paolo Pisati | |||
Natty |
Undecided
|
Unassigned |
Bug Description
In rds_cmsg_
restricted to less than UINT_MAX. This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation. This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value. If it somehow doesn't crash here, then memory
corruption could occur soon after.
CVE References
- 2010-3296
- 2010-3297
- 2010-3858
- 2010-3859
- 2010-3880
- 2010-4073
- 2010-4076
- 2010-4077
- 2010-4080
- 2010-4081
- 2010-4082
- 2010-4083
- 2010-4157
- 2010-4158
- 2010-4162
- 2010-4163
- 2010-4169
- 2010-4175
- 2010-4242
- 2010-4243
- 2010-4248
- 2010-4251
- 2010-4256
- 2010-4565
- 2010-4649
- 2010-4805
- 2011-0463
- 2011-0695
- 2011-0711
- 2011-0726
- 2011-1010
- 2011-1012
- 2011-1013
- 2011-1016
- 2011-1017
- 2011-1019
- 2011-1020
- 2011-1078
- 2011-1079
- 2011-1080
- 2011-1082
- 2011-1090
- 2011-1093
- 2011-1160
- 2011-1163
- 2011-1169
- 2011-1170
- 2011-1171
- 2011-1172
- 2011-1173
- 2011-1180
- 2011-1478
- 2011-1493
- 2011-1494
- 2011-1577
- 2011-1598
- 2011-1748
- 2011-1770
- 2011-1833
- 2011-2484
- 2011-2492
- 2011-2534
- 2011-2699
- 2011-2918
security vulnerability: | no → yes |
description: | updated |
Changed in linux (Ubuntu Natty): | |
status: | New → Fix Released |
Changed in linux (Ubuntu Maverick): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Brad Figg (brad-figg) |
Changed in linux (Ubuntu Lucid): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Brad Figg (brad-figg) |
Changed in linux (Ubuntu Karmic): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Brad Figg (brad-figg) |
Changed in linux (Ubuntu Hardy): | |
status: | New → Invalid |
Changed in linux (Ubuntu Dapper): | |
status: | New → Invalid |
Changed in linux (Ubuntu Karmic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Maverick): | |
status: | In Progress → Fix Committed |
tags: | added: kernel-cve-tracker |
Launchpad Janitor (janitor) wrote : | #2 |
This bug was fixed in the package linux - 2.6.31-23.74
---------------
linux (2.6.31-23.74) karmic-proposed; urgency=low
[ Steve Conklin ]
* Release Tracking Bug
- LP: #725232
[ Upstream Kernel Changes ]
* bluetooth: Fix missing NULL check, CVE-2010-4242
- LP: #714846
- CVE-2010-4242
* bio: take care not overflow page count when mapping/copying user data,
CVE-2010-4162
- LP: #721441
- CVE-2010-4162
* filter: make sure filters dont read uninitialized memory
- LP: #721282
- CVE-2010-4158
* tty: Make tiocgicount a handler, CVE-2010-4076, CVE-2010-4077
- LP: #720189
- CVE-2010-4077
* block: check for proper length of iov entries in blk_rq_
CVE-2010-4163
- LP: #721504
- CVE-2010-4163
* block: check for proper length of iov entries earlier in
blk_
- LP: #721504
- CVE-2010-4163
* rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
- LP: #721455
- CVE-2010-4175
-- Steve Conklin <email address hidden> Fri, 25 Feb 2011 14:20:16 -0600
Changed in linux (Ubuntu Karmic): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #3 |
This bug was fixed in the package linux - 2.6.32-30.59
---------------
linux (2.6.32-30.59) lucid-proposed; urgency=low
[ Steve Conklin ]
* Release Tracking Bug
- LP: #727336
[ Tim Gardner ]
* [Config] CONFIG_
- LP: #723819
[ Upstream Kernel Changes ]
* virtio_net: Add schedule check to napi_enable call
- LP: #579276
* NFS: fix the return value of nfs_file_fsync()
- LP: #585657
* block: check for proper length of iov entries earlier in
blk_
- LP: #721504
- CVE-2010-4163
* filter: make sure filters dont read uninitialized memory
- LP: #721282
- CVE-2010-4158
* tty: Make tiocgicount a handler, CVE-2010-4076, CVE-2010-4077
- LP: #720189
- CVE-2010-4077
* staging: usbip: remove double giveback of URB
- LP: #723819
* USB: EHCI: ASPM quirk of ISOC on AMD SB800
- LP: #723819
* rt2x00: add device id for windy31 usb device
- LP: #723819
* ALSA: snd-usb-us122l: Fix missing NULL checks
- LP: #723819
* hwmon: (via686a) Initialize fan_div values
- LP: #723819
* USB: serial: handle Data Carrier Detect changes
- LP: #723819
* USB: CP210x Add two device IDs
- LP: #723819
* USB: CP210x Removed incorrect device ID
- LP: #723819
* USB: usb-storage: unusual_devs update for Cypress ATACB
- LP: #723819
* USB: usb-storage: unusual_devs update for TrekStor DataStation maxi g.u
external hard drive enclosure
- LP: #723819
* USB: usb-storage: unusual_devs entry for CamSport Evo
- LP: #723819
* USB: usb-storage: unusual_devs entry for Coby MP3 player
- LP: #723819
* USB: serial: Updated support for ICOM devices
- LP: #723819
* USB: adding USB support for Cinterion's HC2x, EU3 and PH8 products
- LP: #723819
* USB: EHCI: ASPM quirk of ISOC on AMD Hudson
- LP: #723819
* USB: EHCI: fix DMA deallocation bug
- LP: #723819
* USB: g_printer: fix bug in module parameter definitions
- LP: #723819
* USB: io_edgeport: fix the reported firmware major and minor
- LP: #723819
* USB: ti_usb: fix module removal
- LP: #723819
* USB: Storage: Add unusual_devs entry for VTech Kidizoom
- LP: #723819
* USB: ftdi_sio: add ST Micro Connect Lite uart support
- LP: #723819
* USB: cdc-acm: Adding second ACM channel support for Nokia N8
- LP: #723819
* USB: ftdi_sio: Add VID=0x0647, PID=0x0100 for Acton Research
spectrograph
- LP: #723819
* USB: prevent buggy hubs from crashing the USB stack
- LP: #723819
* staging: comedi: add support for newer jr3 1-channel pci board
- LP: #723819
* staging: comedi: ni_labpc: Use shared IRQ for PCMCIA card
- LP: #723819
* Staging: hv: fix sysfs symlink on hv block device
- LP: #723819
* staging: hv: Enable sending GARP packet after live migration
- LP: #723819
* hvc_iucv: allocate memory buffers for IUCV in zone DMA
- LP: #723819
* iwlagn: enable only rfkill interrupt when device is down
- LP: #723819
* ath9k: Fix bug in delimiter padding computation
- LP: #723819
* correct vdso version string
- LP: #723819
* fix medium error problems with so...
Changed in linux (Ubuntu Lucid): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package linux - 2.6.35-28.49
---------------
linux (2.6.35-28.49) maverick-proposed; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #726796
[ Colin Ian King ]
* SAUCE: Dell All-In-One: Remove need for Dell module alias
[ Manoj Iyer ]
* SAUCE: add ricoh 0xe823 pci id.
- LP: #717435
[ Upstream Kernel Changes ]
* virtio_net: Add schedule check to napi_enable call
- LP: #579276
* mmc: make sdhci work with ricoh mmc controller
- LP: #717435
* NFS: fix the return value of nfs_file_fsync()
- LP: #585657
* rt2x00: Pad beacon to multiple of 32 bits.
- LP: #659143
* rt2x00: Fix firmware loading regression on x86_64.
- LP: #659143
* rt2x00: Check for errors from skb_pad() calls
- LP: #659143
* block: check for proper length of iov entries earlier in
blk_
- LP: #721504
- CVE-2010-4163
* tty: Make tiocgicount a handler, CVE-2010-4076, CVE-2010-4077
- LP: #720189
- CVE-2010-4077
- CVE-2010-4076
* rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
- LP: #721455
- CVE-2010-4175
-- Brad Figg <email address hidden> Mon, 28 Feb 2011 13:02:53 -0800
Changed in linux (Ubuntu Maverick): | |
status: | Fix Committed → Fix Released |
Changed in linux-ti-omap4 (Ubuntu): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Dapper): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Hardy): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Karmic): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Lucid): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Natty): | |
status: | New → Fix Released |
Changed in linux-ti-omap4 (Ubuntu Maverick): | |
assignee: | nobody → Paolo Pisati (p-pisati) |
status: | New → In Progress |
Changed in linux-fsl-imx51 (Ubuntu): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Dapper): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Hardy): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Karmic): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Maverick): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Natty): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Lucid): | |
assignee: | nobody → Paolo Pisati (p-pisati) |
status: | New → In Progress |
Changed in linux-fsl-imx51 (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
tags: |
added: kernel-cve-tracking-bug removed: kernel-cve-tracker |
Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package linux-fsl-imx51 - 2.6.31-610.28
---------------
linux-fsl-imx51 (2.6.31-610.28) lucid-proposed; urgency=low
* Release tracking bug
- LP: #837802
[ Upstream Kernel Changes ]
* ipv6: make fragment identifications less predictable, CVE-2011-2699
- LP: #827685
- CVE-2011-2699
* perf: Fix software event overflow, CVE-2011-2918
- LP: #834121
- CVE-2011-2918
* proc: fix oops on invalid /proc/<pid>/maps access, CVE-2011-1020
- LP: #813026
- CVE-2011-1020
linux-fsl-imx51 (2.6.31-610.27) lucid-proposed; urgency=low
* Release tracking bug
- LP: #829160
[ Upstream Kernel Changes ]
* fs/partitions/
oops
- LP: #795418
- CVE-2011-1577
* Fix corrupted OSF partition table parsing
- LP: #796606
- CVE-2011-1163
* can: Add missing socket check in can/bcm release.
- LP: #796502
- CVE-2011-1598
* proc: protect mm start_code/end_code in /proc/pid/stat
- LP: #799906
- CVE-2011-0726
* sctp: Fix a race between ICMP protocol unreachable and connect()
* tty: Make tiocgicount a handler, CVE-2010-4076, CVE-2010-4077
- LP: #794034
- CVE-2010-4077
* filter: make sure filters dont read uninitialized memory CVE-2010-4158
- LP: #721282
- CVE-2010-4158
* bio: take care not overflow page count when mapping/copying user data
CVE-2010-4162
- LP: #721441
- CVE-2010-4162
* block: check for proper length of iov entries in blk_rq_
- LP: #721504
- CVE-2010-4163
* block: check for proper length of iov entries earlier in
blk_
- LP: #721504
- CVE-2010-4163
* rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
- LP: #721455
- CVE-2010-4175
* bluetooth: Fix missing NULL check CVE-2010-4242
- LP: #714846
- CVE-2010-4242
* IB/uverbs: Handle large number of entries in poll CQ CVE-2010-4649
- LP: #800121
- CVE-2010-4649
* epoll: prevent creating circular epoll structures CVE-2011-1082
- LP: #800758
- CVE-2011-1082
* nfs4: Ensure that ACL pages sent over NFS were not allocated from the
slab (v3) CVE-2011-1090
- LP: #800775
* ldm: corrupted partition table can cause kernel oops CVE-2011-1012
- LP: #801083
- CVE-2011-1012
* netfilter: ipt_CLUSTERIP: fix buffer overflow CVE-2011-2534
- LP: #801473
- CVE-2011-2534
* netfilter: arp_tables: fix infoleak to userspace CVE-2011-1170
- LP: #801480
- CVE-2011-1170
* netfilter: ip_tables: fix infoleak to userspace CVE-2011-1171
- LP: #801482
- CVE-2011-1171
* ipv6: netfilter: ip6_tables: fix infoleak to userspace CVE-2011-1172
- LP: #801483
- CVE-2011-1172
* econet: 4 byte infoleak to the network CVE-2011-1173
- LP: #801484
- CVE-2011-1173
* net: Limit socket I/O iovec total length to INT_MAX.
- LP: #708839
* fs/partitions: Validate map_count in Mac partition tables -
CVE-2011-1010
- LP: #804225
- CVE-2011-1010
* drm: fix unsigned vs signed comparison issue in modeset ctl ioctl,
CVE-2011-1013
- LP: #804229
- CVE-2011-1013
...
Changed in linux-fsl-imx51 (Ubuntu Lucid): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package linux-ti-omap4 - 2.6.35-903.24
---------------
linux-ti-omap4 (2.6.35-903.24) maverick-proposed; urgency=low
* Release tracking bug
- LP: #838037
[ Upstream Kernel Changes ]
* ipv6: make fragment identifications less predictable, CVE-2011-2699
- LP: #827685
- CVE-2011-2699
* perf: Fix software event overflow, CVE-2011-2918
- LP: #834121
- CVE-2011-2918
* proc: fix oops on invalid /proc/<pid>/maps access, CVE-2011-1020
- LP: #813026
- CVE-2011-1020
linux-ti-omap4 (2.6.35-903.23) maverick-proposed; urgency=low
* Release tracking bug
- LP: #829655
[ Upstream Kernel Changes ]
* drm/radeon/kms: check AA resolve registers on r300, CVE-2011-1016
- LP: #745686
- CVE-2011-1016
* drm/radeon: fix regression with AA resolve checking, CVE-2011-1016
- LP: #745686
- CVE-2011-1016
* can-bcm: fix minor heap overflow
- LP: #690730
* CAN: Use inode instead of kernel address for /proc file, CVE-2010-4565
- LP: #765007
- CVE-2010-4565
* av7110: check for negative array offset
- LP: #747520
* xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1,
CVE-2011-0711
- LP: #767740
- CVE-2011-0711
* ALSA: caiaq - Fix possible string-buffer overflow
- LP: #747520
* IB/cm: Bump reference count on cm_id before invoking callback,
CVE-2011-0695
- LP: #770369
- CVE-2011-0695
* RDMA/cma: Fix crash in request handlers, CVE-2011-0695
- LP: #770369
- CVE-2011-0695
* Treat writes as new when holes span across page boundaries,
CVE-2011-0463
- LP: #770483
- CVE-2011-0463
* net: clear heap allocations for privileged ethtool actions
- LP: #686158
* usb: iowarrior: don't trust report_size for buffer size
- LP: #747520
* fs/partitions/
CVE-2011-1017
- LP: #771382
- CVE-2011-1017
* Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal
code
- LP: #747520
* Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
- LP: #747520
* exec: make argv/envp memory visible to oom-killer
- LP: #690730
* next_pidmap: fix overflow condition
- LP: #772560
* proc: do proper range check on readdir offset
- LP: #772560
* ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl, CVE-2011-1169
- LP: #785331
- CVE-2011-1169
* mpt2sas: prevent heap overflows and unchecked reads, CVE-2011-1494
- LP: #787145
- CVE-2011-1494
* agp: fix arbitrary kernel memory writes, CVE-1011-2022
- LP: #788684
- CVE-1011-2022
* can: add missing socket check in can/raw release, CVE-2011-1748
- LP: #788694
- CVE-2011-1748
* agp: fix OOM and buffer overflow
- LP: #788700
* drivers/
memory - CVE-2010-3296
- CVE-2010-3296
* drivers/net/eql.c: prevent reading uninitialized stack memory -
CVE-2010-3297
- CVE-2010-3297
* inet_diag: Make sure we actually run the same bytecode we audited,
CVE-2010-3880
- LP: #711865
- CVE-2010-3880
* setup_arg_pages: diagnose excessive argume...
Changed in linux-ti-omap4 (Ubuntu Maverick): | |
status: | In Progress → Fix Released |
Accepted linux-ec2 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Thank you in advance!